North Carolina proposes law requiring data breaches to be reported in 15 days

North Carolina Attorney General Josh Stein and State Rep. Jason Saine introduced legislation this week that would give organizations only 15 days to report a data breach to consumers and the attorney general.

The bill is drastically different from HIPAA requirements, which give healthcare providers 60 days from the time a breach is discovered to report a breach to the public, affected patients and the U.S. Department of Health and Human Services.

Officials argue the “quick notification will allow consumers to freeze their credit across all major credit reporting agencies and take other preventative measures to prevent identity theft before it occurs.”

If passed, it would give North Carolina one of the toughest breach notification laws in the U.S.

The bill would also allow consumers to place and lift a credit freeze on their credit report at any time, for free. According to the bill’s fact sheet, this would prevent a hacker from using the consumer’s stolen data to open a fraudulent credit line.

The bill would also provide free access to credit reports from the three credit reporting agencies to consumers affected by a breach. While many organizations often provide this to consumers, it’s not required by all states.

In fact, the proposal would require breached consumer reporting agencies like Equifax to provide consumers five years of free credit monitoring to those impacted.

“A business that suffers a breach and failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act and each person affected by the breach represents a separate and distinct violation of the law,” according to the proposal.

The proposed legislation is a direct response to the massive increase in consumers impacted by data breaches in the state. More than 5.3 million North Carolina consumers were impacted by 1,022 data breaches in 2017, Stein said.

“This number is staggering and unacceptable. North Carolina’s laws on this issue are strong – but they need to be even stronger,” said Stein in a statement.

Hacking and phishing were the biggest breach causes in the state, which mirrors the healthcare industry. As these attacks become more commonplace, healthcare organizations can expect further proposed legislation from both state and federal governments.

For example, Sen. Bill Nelson, D-Florida, introduced a bill in December that would impose criminal penalties on executives who deliberately attempt to conceal data breaches and require all U.S. organizations to notify consumers of a breach within 30 days.

The bill was a direct response to news that Uber hid a 2016 data breach that impacted 57 million users.